[asterisk-bugs] [JIRA] (ASTERISK-27031) Unable to configure TLSv1.2 with PJSIP

delvar (JIRA) noreply at issues.asterisk.org
Fri Jun 2 09:55:58 CDT 2017


delvar created ASTERISK-27031:
---------------------------------

             Summary: Unable to configure TLSv1.2 with PJSIP
                 Key: ASTERISK-27031
                 URL: https://issues.asterisk.org/jira/browse/ASTERISK-27031
             Project: Asterisk
          Issue Type: Bug
      Security Level: None
          Components: pjproject/pjsip
    Affects Versions: 13.16.0
         Environment: Centos 7
            Reporter: delvar


When setting up a transport I am unable to enforce TLS1.2, only TLS1.0.

h3. My pjsip.conf

{noformat}
[transport-tls]
type=transport
protocol=tls
bind=0.0.0.0:5061
cert_file=/etc/asterisk/keys/cert.pem
priv_key_file=/etc/asterisk/keys/privkey.pem
method=tlsv1
{noformat}


h3. When testing tls1.2 with OpenSSL 
{noformat}
openssl s_client -tls1_2 -host gw03.dev -port 5061
CONNECTED(00000003)
140260503979936:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number:s3_pkt.c:339:
{noformat}

When testing with OpenSSL and not using the -tls1_2 option it works as expected and the TLS handshake completes. (not shown here)
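The manual check above tests one protocol version at a time. The script below is an added example (my own, not part of this report or of the Asterisk or pjproject code) that runs the same `openssl s_client` probe for each version flag and classifies the result, so the transport's actual version support can be audited after any change to `method=`. It assumes the host `gw03.dev` and port `5061` from the report's command, uses `-connect` in place of `-host`/`-port`, and treats output it cannot classify (for example `-tls1_3` on an OpenSSL build that predates that flag) as UNKNOWN rather than as a pass.

```shell
#!/bin/sh
# Added example (not from the Asterisk report): probe a SIP-over-TLS listener
# with each OpenSSL protocol-version flag and classify the server's response.
# Host and port are assumptions taken from the report's own test command.

# classify_handshake: read `openssl s_client` output from stdin and print
# REJECTED (server refused that protocol version), ACCEPTED (a cipher suite
# was negotiated) or UNKNOWN (unsupported flag, unreachable host, and so on).
classify_handshake() {
    out=$(cat)
    # Version-refusal signatures come first: the report's own failure shows
    # "wrong version number" (OpenSSL 1.0.x); newer builds report an alert.
    case "$out" in
        *"wrong version number"*|*"alert protocol version"*|*"unsupported protocol"*)
            printf '%s\n' REJECTED
            return 0 ;;
    esac
    case "$out" in
        *"Cipher is (NONE)"*) printf '%s\n' REJECTED ;;  # connected, nothing negotiated
        *"Cipher is "*)       printf '%s\n' ACCEPTED ;;  # a cipher suite was agreed
        *)                    printf '%s\n' UNKNOWN  ;;
    esac
}

# assess FLAG VERDICT: turn one probe result into a policy line. Accepting
# TLS 1.0 or 1.1 is the weakness the report describes; rejecting TLS 1.2 is
# the configuration bug itself.
assess() {
    flag=$1; verdict=$2
    case "$flag:$verdict" in
        -tls1:ACCEPTED|-tls1_1:ACCEPTED)
            printf '%s\n' "WEAK  $flag accepted (legacy version enabled)" ;;
        -tls1_2:REJECTED)
            printf '%s\n' "BUG   $flag rejected (modern version unavailable)" ;;
        *)
            printf '%s\n' "INFO  $flag $verdict" ;;
    esac
}

# probe_versions HOST PORT: run the s_client probes and print one assessment
# per version. Only this function touches the network; the helpers above can
# be exercised with canned output.
probe_versions() {
    host=$1; port=$2
    for flag in -tls1 -tls1_1 -tls1_2 -tls1_3; do
        verdict=$(openssl s_client "$flag" -connect "$host:$port" </dev/null 2>&1 | classify_handshake)
        assess "$flag" "$verdict"
    done
}

# Usage: sh probe_tls.sh gw03.dev 5061   (host/port from the report; assumed reachable)
if [ "$#" -ge 1 ]; then
    probe_versions "$1" "${2:-5061}"
fi
```

With the report's configuration (`method=tlsv1` on Asterisk 13.16.0) the expected output is a WEAK line for `-tls1` and a BUG line for `-tls1_2`; a transport that only negotiates TLS 1.2 yields REJECTED for the two legacy flags and ACCEPTED for `-tls1_2`. The classifier deliberately checks refusal signatures before looking for a negotiated cipher, because some OpenSSL versions print a `Cipher is (NONE)` summary even after a version failure.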

h3. Asterisk Code
In https://github.com/asterisk/asterisk/blob/13.16/res/res_pjsip/config_transport.c we see the list of allowed values and the mapped PJSIP methods at line 885+:
{noformat}
	if (ast_strlen_zero(var->value) || !strcasecmp(var->value, "default")) {
		state->tls.method = PJSIP_SSL_DEFAULT_METHOD;
	} else if (!strcasecmp(var->value, "unspecified")) {
		state->tls.method = PJSIP_SSL_UNSPECIFIED_METHOD;
	} else if (!strcasecmp(var->value, "tlsv1")) {
		state->tls.method = PJSIP_TLSV1_METHOD;
	} else if (!strcasecmp(var->value, "sslv2")) {
		state->tls.method = PJSIP_SSLV2_METHOD;
	} else if (!strcasecmp(var->value, "sslv3")) {
		state->tls.method = PJSIP_SSLV3_METHOD;
	} else if (!strcasecmp(var->value, "sslv23")) {
		state->tls.method = PJSIP_SSLV23_METHOD;
	} else {
		return -1;
	}
{noformat}
As you can see, there is no mapping for PJSIP_TLSV1_2_METHOD.

h3. PJSIP Code

http://svn.pjsip.org/repos/pjproject/trunk/pjsip/src/pjsip/sip_transport_tls.c

{noformat}
   switch(ssl_method) {
    case PJSIP_SSLV2_METHOD:
	out_proto = PJ_SSL_SOCK_PROTO_SSL2;
	break;
    case PJSIP_SSLV3_METHOD:
	out_proto = PJ_SSL_SOCK_PROTO_SSL3;
	break;
    case PJSIP_TLSV1_METHOD:
	out_proto = PJ_SSL_SOCK_PROTO_TLS1;
	break;
    case PJSIP_TLSV1_1_METHOD:
	out_proto = PJ_SSL_SOCK_PROTO_TLS1_1;
	break;
    case PJSIP_TLSV1_2_METHOD:
	out_proto = PJ_SSL_SOCK_PROTO_TLS1_2;
	break;
    case PJSIP_SSLV23_METHOD:
	out_proto = PJ_SSL_SOCK_PROTO_SSL23;
	break;
    default:
	out_proto = PJ_SSL_SOCK_PROTO_DEFAULT;
	break;
    }   
{noformat}

h3. Critical
This is critical as TLS 1 and 1.1 are vulnerable to a range of exploits and should not be used.
https://blog.varonis.com/ssl-and-tls-1-0-no-longer-acceptable-for-pci-compliance/



--
This message was sent by Atlassian JIRA
(v6.2#6252)